bug 451 fixed: problem with auto login

- add an auto_login_key in users_table - $conf['session_length'] is no more useful and sessions length will be 0 (until browser closed) - add $conf['remember_me_name'] for cookie remember name git-svn-id: http://piwigo.org/svn/trunk@1493 68402e56-0260-453c-a942-63ccdbb3a9ee
2026-03-28 17:42:57 +01:00 · 2006-07-23 15:25:49 +00:00
parent e3c4d79f5b
commit 5d06d43541
6 changed files with 107 additions and 12 deletions
--- a/identification.php
+++ b/identification.php
@@ -71,6 +71,34 @@ SELECT '.$conf['user_fields']['id'].' AS id,
    array_push( $errors, $lang['invalid_pwd'] );
  }
 }
+elseif (!empty($_COOKIE[$conf['remember_me_name']]))
+{
+  $cookie = unserialize(pwg_stripslashes($_COOKIE[$conf['remember_me_name']]));
+  $query = '
+SELECT auto_login_key
+  FROM '.USERS_TABLE.'
+  WHERE '.$conf['user_fields']['id'].' = '.$cookie['id'].'
+;';
+
+  $auto_login_key = current(mysql_fetch_assoc(pwg_query($query)));
+  if ($auto_login_key == $cookie['key'])
+  {
+    log_user($cookie['id'], false);
+    redirect(empty($redirect_to) ? make_index_url() : $redirect_to);
+  }
+  else
+  {
+    // Hacking attempt!
+    $query = '
+UPDATE '.USERS_TABLE.'
+  SET auto_login_key=\''.$auto_login_key.'\'
+  WHERE '.$conf['user_fields']['id'].' = '.$user_id.'
+;';
+    pwg_query($query);
+    setcookie($conf['remember_me_name'], '', 0, cookie_path());
+    redirect(empty($redirect_to) ? make_index_url() : $redirect_to);
+  }
+}
 //----------------------------------------------------- template initialization
 //
 // Start output of page
--- a/include/config_default.inc.php
+++ b/include/config_default.inc.php
@@ -312,13 +312,13 @@ $conf['session_save_handler'] = 'db';
 // creates a cookie on client side.
 $conf['authorize_remembering'] = true;

+// remember_me_name: specifies the name of the cookie used to stay logged
+$conf['remember_me_name'] = 'pwg_remember';
+
 // remember_me_length : time of validity for "remember me" cookies, in
 // seconds.
 $conf['remember_me_length'] = 31536000;

-// session_length : time of validity for normal session, in seconds.
-$conf['session_length'] = 3600;
-
 // +-----------------------------------------------------------------------+
 // |                                debug                                  |
 // +-----------------------------------------------------------------------+
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -71,11 +71,8 @@ if (isset($conf['session_save_handler'])
    ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
    ini_set('session.use_trans_sid', intval($conf['session_use_trans_sid']));
  }
-  session_name( $conf['session_name'] );
-  session_set_cookie_params(
-      ini_get('session.cookie_lifetime'),
-      cookie_path()
-    );
+  session_name($conf['session_name']);
+  session_set_cookie_params(0, cookie_path());
 }

 // cookie_path returns the path to use for the PhpWebGallery cookie.
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -551,12 +551,34 @@ function get_language_filepath($filename)
 function log_user($user_id, $remember_me)
 {
  global $conf;
-  $session_length = $conf['session_length'];
+
  if ($remember_me)
  {
-    $session_length = $conf['remember_me_length'];
+    // search for an existing auto_login_key
+    $query = '
+SELECT auto_login_key 
+  FROM '.USERS_TABLE.'
+  WHERE '.$conf['user_fields']['id'].' = '.$user_id.'
+;';
+ 
+    $auto_login_key = current(mysql_fetch_assoc(pwg_query($query)));
+    if (empty($auto_login_key)) 
+    {
+      $auto_login_key = base64_encode(md5(uniqid(rand(), true)));
+      $query = '
+UPDATE '.USERS_TABLE.'
+  SET auto_login_key=\''.$auto_login_key.'\'
+  WHERE '.$conf['user_fields']['id'].' = '.$user_id.'
+;';
+      pwg_query($query);
+    }
+    $cookie = array('id' => $user_id, 'key' => $auto_login_key);
+    setcookie($conf['remember_me_name'],
+	      serialize($cookie), 
+	      time()+$conf['remember_me_length'],
+	      cookie_path()
+	      );
  }
-  session_set_cookie_params($session_length);
  session_start();
  $_SESSION['pwg_uid'] = $user_id;
 }
--- a/install/db/26-database.php
+++ b/install/db/26-database.php
@@ -0,0 +1,47 @@
+<?php
+// +-----------------------------------------------------------------------+
+// | PhpWebGallery - a PHP based picture gallery                           |
+// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
+// | Copyright (C) 2003-2006 PhpWebGallery Team - http://phpwebgallery.net |
+// +-----------------------------------------------------------------------+
+// | branch        : BSF (Best So Far)
+// | file          : $RCSfile$
+// | last update   : $Date: 2006-07-23 14:17:00 +0200 (dim, 23 jui 2006) $
+// | last modifier : $Author: nikrou $
+// | revision      : $Revision: 1492 $
+// +-----------------------------------------------------------------------+
+// | This program is free software; you can redistribute it and/or modify  |
+// | it under the terms of the GNU General Public License as published by  |
+// | the Free Software Foundation                                          |
+// |                                                                       |
+// | This program is distributed in the hope that it will be useful, but   |
+// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
+// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
+// | General Public License for more details.                              |
+// |                                                                       |
+// | You should have received a copy of the GNU General Public License     |
+// | along with this program; if not, write to the Free Software           |
+// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
+// | USA.                                                                  |
+// +-----------------------------------------------------------------------+
+
+if (!defined('PHPWG_ROOT_PATH'))
+{
+  die('Hacking attempt!');
+}
+
+$upgrade_description = 'add an auto login key in users table';
+
+// add column auto_login_key
+$query = '
+ALTER TABLE '.PREFIX_TABLE.'users
+  ADD auto_login_key varchar(64) NOT NULL
+;';
+pwg_query($query);
+
+echo
+"\n"
+. $upgrade_description
+."\n"
+;
+?>
--- a/install/phpwebgallery_structure.sql
+++ b/install/phpwebgallery_structure.sql
@@ -1,4 +1,4 @@
-- MySQL dump 9.11
+1-- MySQL dump 9.11
 --
 -- Host: localhost    Database: pwg-bsf
 -- ------------------------------------------------------
@@ -345,6 +345,7 @@ CREATE TABLE `phpwebgallery_users` (
  `username` varchar(20) binary NOT NULL default '',
  `password` varchar(32) default NULL,
  `mail_address` varchar(255) default NULL,
+  `auto_login_key` varchar(64) default NULL,
  PRIMARY KEY  (`id`),
  UNIQUE KEY `users_ui1` (`username`)
 ) TYPE=MyISAM;